OAuth & OIDC

OAuth 2.0 is a delegated-authorization framework and OpenID Connect (OIDC) is an authentication layer built on top of it. Together they are among the most widely used protocols for secure, low-friction access delegation and single sign-on in web and mobile native applications.

Our focus:

  • Design of new deployment scenarios, such as a government profile and the issuance and presentation of credentials through a wallet application
  • Assistance to mobile native application developers in implementing OAuth and OIDC securely
  • Security analysis and pentesting of OAuth and OIDC deployments
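As an added illustration of what a secure native-app implementation looks like (this is example code written for this page, not a tool or code of the group): the authorization code flow with PKCE (RFC 7636) and a fresh per-request state value, which RFC 8252 recommends for native apps because a public client holds no usable client secret. The authorization server, the client identifier, the private-use redirect scheme and the attack scenarios are assumed for illustration and simulated in a single process, so the script runs offline.

```python
"""Authorization code flow with PKCE (RFC 7636) and a state check, the flow
RFC 8252 recommends for native apps.  Authorization server and client are
hypothetical and simulated in one process, so this runs offline."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def new_verifier() -> str:
    """32 random bytes -> 43 unreserved chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))

def query(url: str) -> dict:
    """Flatten a URL's query string to single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Toy AS (assumed): codes are single-use and bound to client_id,
    redirect_uri and code_challenge; the token endpoint enforces PKCE."""
    def __init__(self, clients: dict):
        self.clients = clients   # client_id -> set of exact redirect URIs
        self.codes = {}          # code -> parameters it was bound to

    def authorize(self, q: dict) -> str:
        if q.get("response_type") != "code" or q.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request")
        if q.get("redirect_uri") not in self.clients.get(q.get("client_id"), ()):
            raise ValueError("invalid redirect_uri")   # exact match, never prefix
        code = secrets.token_urlsafe(32)
        self.codes[code] = {k: q[k] for k in ("client_id", "redirect_uri", "code_challenge")}
        # state is echoed back untouched; only the client can check it
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, form: dict) -> dict:
        bound = self.codes.pop(form.get("code"), None)   # pop => single use
        if bound is None:
            raise ValueError("invalid_grant")
        if (bound["client_id"], bound["redirect_uri"]) != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        expected = pkce_challenge(form.get("code_verifier", ""))
        if not secrets.compare_digest(expected, bound["code_challenge"]):
            raise ValueError("invalid_grant")          # wrong or missing verifier
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

class NativeApp:
    """Public client (assumed): no client secret, so PKCE and state carry the security."""
    def __init__(self, server, client_id, redirect_uri):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.verifier = self.state = None

    def start_login(self) -> str:
        self.verifier = new_verifier()
        self.state = secrets.token_urlsafe(16)       # fresh per request
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": "openid",
            "state": self.state, "code_challenge": pkce_challenge(self.verifier),
            "code_challenge_method": "S256"})

    def finish_login(self, redirect_url: str) -> dict:
        q = query(redirect_url)
        if not secrets.compare_digest(q.get("state", ""), self.state):
            raise ValueError("state mismatch")        # CSRF / injected-response defence
        return self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri, "client_id": self.client_id,
                                  "code_verifier": self.verifier})

def run_demo() -> dict:
    """Legitimate flow plus three attacks the checks are meant to stop."""
    redirect = "com.example.app:/oauth2redirect"    # private-use scheme (RFC 8252)
    server = AuthorizationServer({"app-123": {redirect}})
    app = NativeApp(server, "app-123", redirect)
    results = {}
    # 1. Honest user completes login in the system browser.
    redirect_url = server.authorize(query(app.start_login()))
    results["login"] = app.finish_login(redirect_url)["token_type"]
    # 2. Replay of the already redeemed code is rejected.
    try:
        app.finish_login(redirect_url)
        results["replay"] = "accepted"
    except ValueError as e:
        results["replay"] = str(e)
    # 3. A malicious app registered for the same scheme intercepts a fresh
    #    code but holds no code_verifier: the token endpoint refuses it.
    code = query(server.authorize(query(app.start_login())))["code"]
    try:
        server.token({"code": code, "client_id": "app-123", "redirect_uri": redirect})
        results["code_interception"] = "token issued"
    except ValueError as e:
        results["code_interception"] = str(e)
    # 4. An attacker injects a response for a session the user never started.
    try:
        app.finish_login(redirect + "?code=xyz&state=attacker-chosen")
        results["csrf"] = "accepted"
    except ValueError as e:
        results["csrf"] = str(e)
    return results
```

Running `run_demo()` yields a bearer token for the honest flow and a rejection for each of the three attacks. Two design points worth noting: the redirect URI is matched exactly against the registered value rather than by prefix, and the authorization server never inspects the state, so the state check only protects a client that actually compares it against the value it generated.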

Related Tools

Related Publications

  • Andrea Bisegna, Roberto Carbone and Silvio Ranise
    Integrating a Pentesting Tool for IdM Protocols in a Continuous Delivery Pipeline
    In: 4th International Workshop on Emerging Technologies for Authorization and Authentication (ETAA2021) (DOI)
  • Amir Sharif, Roberto Carbone, Giada Sciarretta, Silvio Ranise
    Best Current Practices for OAuth/OIDC Native Apps: A Study of their Adoption in Popular Providers and Top-Ranked Android Clients
    In: Journal of Information Security and Applications (JISA) (DOI, news)
  • Giada Sciarretta, Roberto Carbone, Silvio Ranise and Alessandro Armando
    Anatomy of the Facebook solution for mobile single sign-on: Security assessment and improvements
    In: Computers & Security Journal (COSE), Volume 71, November 2017, Pages 71-86 (DOI)
  • Giada Sciarretta, Alessandro Armando, Roberto Carbone, and Silvio Ranise
    Security of Mobile Single Sign-On: a Rational Reconstruction of Facebook Login Solution
    In: 13th International Conference on Security and Cryptography (SECRYPT 2016) (DOI, news)
  • Giada Sciarretta, Roberto Carbone, and Silvio Ranise
    A delegated authorization solution for smart-city mobile applications
    In: 2nd International Forum on Research and Technologies for Society and Industry (RTSI 2016) (DOI)

Related Theses

  • Amir Sharif (PhD Thesis, University of Genoa, 2021)
    Analysis of Best Current Practices to Assist Native App Developers with Secure OAuth/OIDC Implementations
    Co-supervisors: Silvio Ranise, Giada Sciarretta
  • Claudio Grisenti (Bachelor's Thesis, University of Trento, 2020)
    A pentesting tool for OAuth and OIDC deployments
    Supervisor: Silvio Ranise | Co-supervisors: Andrea Bisegna, Roberto Carbone
  • Davide Piva (Bachelor's Thesis, University of Trento, 2019)
    Assisting Developers in Securing OAuth 2.0 Deployment: Demystifying Threats and Protection Techniques for Bearer Credentials
    Supervisor: Silvio Ranise | Co-supervisor: Giada Sciarretta